There are many theories on the development of user IDs:
The user ID can be unique to the user. Although CA Top Secret supports generic ACIDs (ACIDs that more than one user can use at the same time), it is recommended that each user be assigned a unique ACID to establish accountability for the use of the ACID. This allows you to trace violations and audited events back to the correct individual.
It is also recommended that this ACID not be reused when the user transfers to another department or terminates employment. This allows you to trace the events associated with this user historically.
The user ID can remain unchanged for the user’s full term of employment, even if the user transfers to a different department. The type of ACID usually chosen to follow this theory is a unique ACID that identifies the employee, such as employee name or number.
The opposite of the preceding approach is to choose an ACID that identifies the department or location of the user by ACID prefix and identifies the user with a unique ACID suffix. This type of ACID may be changed when the user transfers to another department because the prefix of the ACID determines the department and the general responsibilities of the user. This type of ACID allows security administrators and even computer operators to quickly determine when, for example, a user outside of the payroll department is attempting to access a payroll resource.
A common theory is to obscure the user ID so that an interested third party cannot easily guess it. While this can be an effective measure to deter unauthorized users from getting into accounts that are not theirs, it can be very difficult to administer, since it may be just as difficult for the administrator to determine the owner of the ACID without listing the ACID from the CA Top Secret Security File. This can make auditing and violation monitoring more difficult. Although this is an often-used and viable approach, it might be better to depend on strong password controls and possibly user authentication devices to deter unauthorized access to accounts, without obscuring the user ID.
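The following is an added example, not code from the CA Top Secret documentation, showing how the department-prefix convention described above lets an operator spot cross-department access (and why an obscured ACID defeats that check). The prefix scheme (3-letter department code plus a unique suffix), the department-to-resource ownership table and the audit events are all constructed for this example; real CA Top Secret audit records are not shaped like this.

```python
# Added example (not from the CA Top Secret documentation). The prefix scheme,
# the ownership table and the audit records below are all constructed.
import re

# Assumed convention: ACID = 3-letter department prefix + 1-5 char unique suffix.
ACID_PATTERN = re.compile(r"^(?P<dept>[A-Z]{3})(?P<suffix>[A-Z0-9]{1,5})$")

# Assumed ownership table: department prefix -> resource name prefixes it owns.
DEPT_RESOURCES = {
    "PAY": ("PAYROLL.",),
    "HRS": ("HR.",),
    "OPS": ("SYS1.", "OPS."),
}

def department_of(acid):
    """Department prefix encoded in an ACID, or None if it does not follow
    the convention (as an obscured ACID would not)."""
    m = ACID_PATTERN.match(acid)
    return m.group("dept") if m else None

def owning_department(resource):
    """Department owning a resource, or None if no department claims it."""
    for dept, prefixes in DEPT_RESOURCES.items():
        if resource.startswith(prefixes):
            return dept
    return None

def cross_department_access(events):
    """Return (acid, resource, result) for every event where the ACID's department
    prefix differs from the resource's owning department. Permitted accesses are
    reported too: the convention makes them visible without a Security File lookup."""
    flagged = []
    for acid, resource, result in events:
        owner = owning_department(resource)
        if owner is not None and department_of(acid) != owner:
            flagged.append((acid, resource, result))
    return flagged

# Constructed sample events: (ACID, resource, CA Top Secret result).
SAMPLE_EVENTS = [
    ("PAY0017", "PAYROLL.MASTER", "PERMIT"),
    ("HRS0042", "PAYROLL.MASTER", "VIOLATION"),
    ("OPS0003", "PAYROLL.BACKUP", "PERMIT"),    # permitted but cross-department
    ("HRS0042", "HR.BENEFITS", "PERMIT"),
    ("X7Q9ZZ", "PAYROLL.MASTER", "VIOLATION"),  # obscured ACID: no prefix to read
]
if __name__ == "__main__":
    for acid, resource, result in cross_department_access(SAMPLE_EVENTS):
        print(f"{acid} ({department_of(acid) or 'no dept prefix'}) -> {resource}: {result}")
```

The obscured ACID in the last event is flagged only because it matches no department at all; deciding who actually owns it would require listing it from the Security File, which is the administrative cost the paragraph above describes.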
CA recommends that you determine your approach before you begin to build your Security File and define your users.
Copyright © 2014 CA Technologies.
All rights reserved.